Most of the risks we face on a project are independent of
other risks. These types of risks are easier to identify and easier to manage.
However, there are times when risks are connected. That is, certain risks may
appear only as a result of actions taken to manage another risk.
That’s where the decision tree is used. A decision tree
is a technique for determining the overall risk associated with a series of related
risks.

For example, let’s say your project is going to need to
place a large equipment order. You think there is a 20% risk that your primary
hardware supplier may not be able to provide all the equipment you need for a
large order in a timely manner. This could be risk A. As a part of the risk
response plan, you decide to talk to a second vendor to see if they can help
fulfill the equipment order on short notice. They normally have the equipment
in stock. However, you also discover that there is a 25% possibility that there
may be a disruption in their plant because of a potential strike. This is risk
B.

Do you see how the two risks are related? Risk A is the
primary project risk. If you can successfully manage Risk A, there will be no
reason to work with the second vendor and therefore risk B will never enter
into the project. However, if risk A comes true, then your risk plan will need
to deal with a second risk B.

Of course, what you really want to know is what the chance is
that risk A will come true (your primary vendor cannot fulfill the entire
order) AND risk B will also come
true (the backup vendor goes on strike). That would be the worst-case scenario
for you. The total risk is calculated by multiplying the individual probabilities.
Since there is a 20% chance of risk A, and a 25% chance of risk B, the
probability that both risks will occur is 5% (.20 * .25).

You can use risk trees to come up with financial
implications as well. Let’s look at the following generic decision tree that is
slightly more complex.

Figure A

This decision tree shows two risks–A and B. Risk A has two
outcomes. Outcome 1 is 20% likely to occur and outcome 2 is 80% likely to
occur. The monetary value of Risk A is $10,000. If outcome 1 occurs, a second
Risk B is introduced and there are three likely outcomes, 1.1, 1.2 and 1.3. The
monetary value of Risk B is $30,000. Using the decision tree, you see that the
financial risks of the various outcomes are as follows:

  • Outcome 1.1 has a financial risk of $9,500: ($10,000 * .2) + ($30,000 * .25)
  • Outcome 1.2 has a financial risk of $23,000: ($10,000 * .2) + ($30,000 * .70)
  • Outcome 1.3 has a financial risk of $3,500: ($10,000 * .2) + ($30,000 * .05)
  • Outcome 2 has a financial risk of $8,000: ($10,000 * .8)

What this tells you is that you should try to achieve outcome
1.3 if possible. It has the smallest financial risk impact. If you don’t think
you can achieve outcome 1.3 (and there is only a 1% chance you can (.2 * .05)),
you should try for outcome 2. There is an 80% chance you can hit outcome 2.

You can see that this process can get complicated.
Fortunately, most risks on your project are independent of each other. However,
when you discover that one risk leads to another dependent risk (and perhaps
more dependent risks), the decision tree can help you determine the probability
and impact of each risk combination.
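
The Figure A calculation can be automated for trees of any depth. The following Python sketch is an added example, not part of the original article; the names `Risk`, `Outcome`, `evaluate` and `FIGURE_A` are assumptions. It multiplies probabilities along each path and sums value times probability the same way the bullets above do, and it rejects a risk whose outcome probabilities do not add up to 100%.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Risk:
    name: str
    value: float                      # monetary value of the risk
    outcomes: list = field(default_factory=list)


@dataclass
class Outcome:
    name: str
    probability: float                # chance of this outcome at its risk node
    next_risk: Optional[Risk] = None  # dependent risk this outcome triggers


def evaluate(risk, path_prob=1.0, exposure=0.0):
    """Return {leaf outcome name: (joint probability, financial risk)}."""
    total = sum(o.probability for o in risk.outcomes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"outcomes of risk {risk.name} sum to {total}, not 1")
    leaves = {}
    for o in risk.outcomes:
        joint = path_prob * o.probability             # multiply along the path
        cost = exposure + risk.value * o.probability  # the article's running sum
        if o.next_risk is None:
            leaves[o.name] = (round(joint, 4), round(cost, 2))
        else:
            # A dependent risk only exists on this branch, so recurse into it.
            leaves.update(evaluate(o.next_risk, joint, cost))
    return leaves


# Figure A as described in the text (values taken from the article).
risk_b = Risk("B", 30_000,
              [Outcome("1.1", 0.25), Outcome("1.2", 0.70), Outcome("1.3", 0.05)])
FIGURE_A = Risk("A", 10_000, [Outcome("1", 0.20, risk_b), Outcome("2", 0.80)])

if __name__ == "__main__":
    for name, (p, cost) in evaluate(FIGURE_A).items():
        print(f"outcome {name}: probability {p:.0%}, financial risk ${cost:,.0f}")
```

The joint probabilities of all leaf outcomes add up to 100%, which is a quick sanity check that no branch of the tree was left out.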
